15.5. Summary

Security in your ASP.NET site can be implemented with several techniques, including Windows authentication (where the web server takes care of authentication) or third-party authentication (where an external service like Microsoft Passport takes care of validating the user). Finally, you can use Forms authentication, which is the de facto standard for many of today's ASP.NET web sites.

In general, security encompasses three important concepts: identity, authentication, and authorization. Identity describes who you are and represents you on a web site. During the process of authentication, you hand over proof that verifies your identity. With ASP.NET web sites, this proof is sent in the form of a user name and password that are then validated against a user data store. Authorization deals with the things you are allowed to do within the system. For example, as an anonymous user you are not allowed to access the files in the Management folder of the site. As soon as you log in with an account that does have the correct permissions, you can browse to these files successfully.
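The Management folder rule described above can be expressed in web.config as follows. This is an added example, not a listing from the book; the `Managers` role name, the `~/Login.aspx` path, and the timeout value are assumptions.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Authentication: Forms mode redirects unauthenticated requests for
         protected resources to the login page (path is an assumption).
         requireSSL keeps the authentication cookie off plain HTTP. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" timeout="30" requireSSL="true" />
    </authentication>
  </system.web>

  <!-- Authorization for the Management folder only. Rules are evaluated
       top to bottom and the first matching rule wins, so the allow rule
       must come before the catch-all deny. -->
  <location path="Management">
    <system.web>
      <authorization>
        <!-- Role name is an assumption; use the role your site defines. -->
        <allow roles="Managers" />
        <!-- "*" matches every user, anonymous or logged in. Using only
             <deny users="?" /> here would block anonymous visitors but
             let ANY authenticated account browse the folder. -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this in place, an anonymous request for a page under Management is redirected to the login page, and an authenticated user outside the allowed role is still refused.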

The Membership provider allows you to create and manage users in a central database. Users can create their own accounts using controls like the CreateUserWizard, or you can manage the user accounts using the built-in Web Site Administration Tool. With the login controls, users can independently manage their own accounts: they can retrieve a lost password or change their existing password. The ...

Get Beginning ASP.NET 3.5: In C# and VB now with the O’Reilly learning platform.
